eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
CVE-2022-1952

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Free Booking Plugin For Hotels, Restaurant And Car Rental – Easync
Vendor: CVE Published:; 11 July 2022

What is CVE-2022-1952?

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.

Affected Version(s)

Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC 1.1.16

References

https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-...

x_refsource_MISC

EPSS Score

90% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 11, 2022
Vulnerability Reserved
May 31, 2022

Credit

cydave

Wordpress

What is CVE-2022-1952?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit